My speech on the first day of Data Privacy Asia, being held September 19 and 20 in Manila, Philippines, is “Beyond Compliance: Ethics, Technology and Trust.” Within the speech I’m going to explain how privacy is dependent upon, and impacts, ethics, trust and technology. I am going to also provide a dozen ways that I have identified throughout the past couple of decades for how addressing and implementing a comprehensive privacy protection brings business value.
While those at the conference will get the benefit of my full speech, I am providing here a very high-level listing of those twelve reasons so that everyone can benefit from realizing that addressing privacy within any type of organization, and within all services and products that touch personal data in any way, brings many business values, and should not be brushed aside or minimized in importance.
1. To meet compliance requirements
This is the benefit that is most often touted, so I’ll start with it. Organizations that do not implement privacy protection face huge fines in the tens of millions of dollars (now the possibilities are even higher under the EU GDPR) and up to 20-year penalties for non-compliance with laws, regulations, standards and their own published privacy and security notices. Organizations also risk losing valuable business relationships by not complying with their contractual requirements for privacy protections.
2. To prevent breaches that hurt businesses
A privacy principle that is common to all international privacy principles, and a requirement in all data protection and privacy legal requirements is implementing strong security safeguards to protect personal data. Organizations that implement such controls will, as a result, reduce the number of security incidents that result in privacy breaches. Fewer breaches mean the business does not lose trust, then resultingly lose customers or other types of business. It also means the business does not have to deal with fines, multi-year penalties, or civil suits as an after effect of breaches.
3. To prevent breaches that hurt data subjects / individuals
Privacy protections involve ensuring strong security for personal data and all the associated activities involved with collecting, storing, processing, accessing transmitting, sharing and disposing of the data. Historically organizations have not had comprehensive, strong data security controls implemented throughout the entire enterprise, through to every end-device. By implementing security controls for personal data, breaches that negatively impact the data subjects will be avoided. Consider for example the results from just one security solution that in Q2 2018 blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe. Those could have resulted in breaches of personal data that could have harmed the associated data subjects, in really unlimited ways, if they were successful. I have a friend who became a privacy lawyer as a result of her personal data being breached in the 1990s that resulted in identity fraud. She is still spending time and money counteracting the results of that fraud to this very day.
4. To maintain and improve brand value
A Forbes Insights report stated that 46% of organizations suffered damage to their reputation and brand value as a result of a privacy breach. Organizations that explicitly make clear that protecting the privacy of their consumers is a primary goal, care about their consumers’ privacy, and support meeting that goal with transparent and consistently followed privacy practices that demonstrate this care, will build emotional connections to their brand, which will improve brand value.
5. To strengthen and grow business
A Pew report found that it was important to 93% of Americans to have control over the entities and individuals who are allowed to get information about them, and 90% said that they wanted to control the specific types of information that was collected about them. These attitudes seem to be similar worldwide. Businesses that implement privacy protections, which provide such controls, will strengthen and grow their business, as they become preferred by consumers over their competitors which do not provide such controls.
6. To support ethics
Most organizations have established business ethics policies, or a code of ethics. Even those that haven’t still need to follow ethical practices if they expect to stay in business for any length of time. Such ethics policies typically indicate something to the effect that confidential information will be handled responsibly, not used in business activities in ways that do harm as a result, and used only as indicated for business purposes. But yet I’ve had the sales, marketing and legal areas of many of my clients throughout my entire career tell me that if there is not a law against using personal data, then they are not prohibited from using it in ways that will benefit their companies. Even if it means it could expose the associated data subjects to unwanted communications, at the least, or result in identity fraud, or physical harm through locations being exposed, at the worst. Certainly, business ethics that claim they do not want to do harm are in conflict with such actions.
7. To maintain public, investor and customer trust
According to a Ponemon study commissioned by Centrify, 65% of individuals whose personal data was breached lost trust in the organization that experienced the breach (either directly, or as a result of a breach in one of their contracted vendors). One in four individuals breached took their business elsewhere. Organizations that do not implement privacy protections, and subsequently experience breaches, will lose trust, which in turn will result in lower profits and fewer customers.
8. To support your customers’ wishes
The general public is much more privacy aware now than they have ever been before. And, as our youngest population learn more about privacy throughout grade schools and high schools, they are having increased expectations, even before entering adulthood, that they have increasing rights over how their own personal data is collected, used, analyzed, and shared. The general public is becoming more aware of all their increasing rights to tell those that collect their personal data that they expect to have their personal data protected, and have rights to access and control their personal data. Every day I get at least one message from some type of privacy rights group that wants the message recipients to know and take action to demand privacy rights. In fact, as I was writing this article, I received such an email message from one of these groups with the subject line, “Tell Google to stop secretly tracking users’ locations.”
9. To be a competitive differentiator and gain a competitive advantage
Close to 75% of internet-using households in the US had significant concerns about online privacy and security risks in 2017, and 1/3 of these indicated that they chose to not do actions online because of those worries. These significant worries about privacy, and how it impacts the actions of the public, demonstrate that if your organization can show that you truly care about the privacy of the personal data your collect and processes, you will have a significant advantage over your competitors who do not make privacy a priority.
10. To increase physical safety
Lack of privacy protections has resulted in tragic physical harms to the associated individuals. One of the first USA state privacy laws, the “Driver’s Privacy Protection Act” which was implemented in California in 1997, was created largely as a response to the 1989 murder of Rebecca Schaeffer, an actress on the USA TV show “My Sister Sam” who was stalked by a fan who obtained her home address simply by going to the California State Department of Transportation then went to her home and shot her. Incidents similar to this have continued, worldwide, to the present. Protecting personal data so often also protects the physical safety of the data subjects.
11. To build customer loyalty
In 2017, research firm Baringa Partners conducted a survey about consumer attitudes toward data protection. Here’s a portion of their findings:
“Our results reveal companies risk losing up to 55% of customers if they suffer a significant personal data leak. We looked at consumer attitudes towards companies in the banking, insurance, energy, and TV, phone and internet sectors. We found that, in the event of a data breach, 30% of people would switch provider immediately and a further 25% would wait to see a media response or what others say and do before switching to another provider.”
And it isn’t just large corporations at risk. All sizes of organizations will lose customers following a breach. In the USA, a recent Bank of America research report revealed that “nearly 40 percent of consumers have had their credit or debit card, bank account or other personal financial information stolen. And 20 percent of those consumers who have had their information stolen said they would not shop with a small business that has experienced a data breach.”
12. To support innovation
Too many people claim that building security and privacy controls into new technologies, products and services stifles innovation. That is complete hogwash! Actually, when privacy is purposefully addressed within new innovations, it expands and improves innovations. It does not inhibit them. The public is demanding that privacy be protected. Privacy should be viewed as not just a differentiator or something to be done if legally required, but a standard requirement for any new technology or service involving personal data. It takes more innovation to create secure privacy-protecting devices that mitigate privacy risk than it does to simply leave out such controls.
If you have any questions on this topic, just let me know. If you will be attending Data Privacy Asia conference in Manila, Philippines on September 19 and 20, this will give you a peek into my talk, “Beyond Compliance: Ethics, Technology and Trust,” and allow you to determine any related questions; if not during my talk, certainly at some point during the conference breaks, meals, or other activities.
For a couple of other previews to the Data Privacy Asia conference, you can listen to:
I look forward to covering the wide range of privacy issues that must be addressed by every business, and every individual, in the coming months within this blog feature! If you have a topic to suggest, just let me know. I always appreciate knowing the topics that are at top of mind for our readers.